In an attempt to access online academic journals, hackers working on behalf of the Iranian government stole the usernames and passwords of 62 University of Oregon professors from 2014 to 2017, according to U.S. Department of Justice documents obtained by the Emerald. The cyberattack was a coordinated effort to steal academic data and intellectual property from more than 300 universities located in the U.S. and abroad.
The University of Oregon confirmed on Friday that the hackers, who worked for the Mabna Institute, a company connected to the Iranian government, did not seek any UO-specific data or research. Instead, the hackers were looking to use login credentials to access academic journals that UO faculty members have subscriptions to.
“We have no indication based upon internal forensics that any UO data was stolen,” UO spokeswoman Molly Blancett wrote in an email statement. “The FBI confirmed that they had no indication in their investigation that UO data was a Mabna target.”
In February 2018, the U.S. District Court for the Southern District of New York filed a sealed indictment that formally charged nine Iranians with the “university hacking campaign.” According to the indictment, the coordinated effort targeted over 100,000 professors, and about 3,800 U.S. professors fell victim to the campaign. As a result, 31.5 terabytes of academic data and intellectual property, which cost universities almost $3.4 billion to obtain and access, was stolen.
The data and stolen login credentials were used by Iranian intelligence services and also sold to customers in Iran, such as public universities, who could then access online library systems, according to the indictment.
In October 2017, the DOJ sent UO a letter stating that professors’ accounts had been targeted by hackers since 2014. The letter contained the usernames and passwords for the accounts of 62 UO professors.
The letter also contained a grand jury subpoena from the Southern District of New York requesting “information setting forth the annual costs associated with University of Oregon’s online academic journal subscriptions and eBooks/monographs available electronically to University of Oregon professor accounts, from the 2013-2014 academic year to present.”
According to the letter, the DOJ had reason to believe the hackers were targeting academic data and online academic databases.
“Upon receiving the subpoena, the UO Information Security Office immediately took remediation steps with accounts of the impacted faculty, and performed internal forensics on our systems,” Blancett wrote. “Our internal investigation found no indicators of UO data access or theft. The FBI confirmed this, with their investigation also finding no indication that UO individual data was a target or was stolen.”
The technique the hackers used to take the login credentials is known as “spearphishing.” The hackers, posing as professors from a foreign university, sent faculty members a message containing a link that appeared similar to a legitimate UO domain.
In the letter, the DOJ said it believed that a fake login screen that captured the username and password would appear after the user clicked the link.
After the DOJ’s indictment became public in March, UO released a statement saying that the attack had “missed” the university, but UO Information Services recommended “beefing up passwords and being on guard.”
As a result of the hack, the UO launched a program that aims to reduce the number of faculty and staff members who may become victims of phishing.
“We have recently launched an online educational training for cybersecurity for faculty and staff to help prevent being victim of a phishing attempt,” Blancett wrote. “It is available through MyTrack, and we have done targeted outreach on campus to encourage adoption. We are in the process of rolling out communication widely.”